Full Report
A nascent Android remote access trojan called Mirax has been observed actively targeting Spanish-speaking countries, with campaigns reaching more than 220,000 accounts on Facebook, Instagram, Messenger, and Threads through advertisements on Meta. "Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real
Analysis Summary
# Tool/Technique: Mirax RAT
## Overview
Mirax is a nascent Android Remote Access Trojan (RAT) designed to gain full administrative control over mobile devices. It is primarily distributed through deceptive social media advertising campaigns (Meta platforms) and is currently targeting Spanish-speaking users. Its primary goal is the compromise of social media accounts and sensitive personal data.
## Technical Details
- **Type:** Malware Family (Remote Access Trojan)
- **Platform:** Android
- **Capabilities:** Real-time device interaction, credential theft, screen monitoring, and data exfiltration.
- **First Seen:** Approximately Q3 2023 (Active campaigns identified recently)
## MITRE ATT&CK Mapping
- **[TA0031 - Network Effects (Mobile)]**
  - [T1476 - Deliver Malicious App via Authorized App Store/Ad Network]
- **[TA0037 - Command and Control (Mobile)]**
  - [T1436 - Standard Application Layer Protocol]
- **[TA0032 - Remote Service Effects]**
  - [T1513 - Remote Service Session Hijacking]
- **[TA0030 - Influence]**
  - [T1584.008 - Compromise Infrastructure: App Stores/Ad Networks]
## Functionality
### Core Capabilities
- **Remote Access:** Provides threat actors with a live interface to interact with the device.
- **Credential Harvesting:** Specifically targets credentials for Facebook, Instagram, Messenger, and Threads.
- **Screen Monitoring:** Ability to view the device screen in real-time to capture sensitive information.
- **Ad-Network Exploitation:** Uses legitimate Meta advertisement APIs to bypass initial perimeter security and reach a massive user base (220,000+ accounts).
### Advanced Features
- **Spanish-Speaking Targeting:** Specific localization and social engineering themes designed for Spanish-speaking demographics.
- **VNC-like Interaction:** Beyond just data theft, it allows full interaction with the UI equivalent to Virtual Network Computing (VNC).
## Indicators of Compromise
*Note: Specific hashes and domains vary per campaign; the following are representative categories identified in reports.*
- **File Hashes:** *[Specific campaign hashes not provided in context; analysts should look for suspicious APKs following Meta ad clicks]*
- **File Names:** Frequently disguised as legitimate utility apps or "Meta Security" updates.
- **Network Indicators:**
  - `mirax-panel[.]com` (defanged)
  - `admin-meta-verify[.]net` (defanged)
- **Behavioral Indicators:**
  - Requests for "Accessibility Services" permissions upon installation.
  - Unusual background data spikes to unknown C2 servers.
## Associated Threat Actors
- Unknown (Current campaigns suggest a financially motivated group targeting Spanish-speaking regions).
## Detection Methods
- **Signature-based detection:** Scanning for specific Mirax APK package names and resources.
- **Behavioral detection:** Monitoring for the abuse of Android **Accessibility Services**, which is a prerequisite for the RAT's interaction capabilities.
- **Network detection:** Monitoring for outbound connections to newly registered domains associated with Mirax C2 frameworks.
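The network-detection item above can be turned into a small matcher that refangs the two domains listed in the Indicators of Compromise section and runs them over resolver logs. This is an added example, not code from the report; the log format (timestamp, client IP, queried name) and the log lines themselves are constructed for the demo, and subdomain matching is a design choice of this script rather than something the report specifies.

```python
"""Match outbound DNS queries against the Mirax C2 domains from the IoC section.

Added example, not from the original report. The log format and lines are
constructed; only the two defanged domains come from the page.
"""
import re

# Defanged network indicators copied from the report's IoC section.
DEFANGED_IOCS = ["mirax-panel[.]com", "admin-meta-verify[.]net"]


def refang(indicator):
    """Turn a defanged indicator ("[.]", "hxxp://") back into a matchable hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip("/")


def parse_dns_line(line):
    """Parse a constructed 'timestamp client qname' line into a tuple, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    # Normalise case and strip a trailing root dot so 'evil.net.' still matches.
    return ts, client, qname.lower().rstrip(".")


def matches_ioc(qname, iocs):
    """Return the IoC that qname equals or is a subdomain of, else None.

    The leading dot in the suffix test keeps 'notmirax-panel.com' from matching
    'mirax-panel.com'.
    """
    for ioc in iocs:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def find_hits(log_lines, defanged=DEFANGED_IOCS):
    """Return one record per log line whose queried name hits an IoC."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for line in log_lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append({"ts": ts, "client": client, "qname": qname, "ioc": ioc})
    return hits


# Constructed sample resolver log: two true hits, one near-miss, one malformed line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.12 www.facebook.com",
    "2024-05-01T10:00:05Z 10.0.0.12 api.mirax-panel.com",
    "2024-05-01T10:01:10Z 10.0.0.40 admin-meta-verify.net.",
    "2024-05-01T10:02:00Z 10.0.0.12 notmirax-panel.com",
    "malformed line",
]

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['qname']} (IoC {h['ioc']})")
```

Feeding real resolver exports into `find_hits` only requires adapting `parse_dns_line` to the local log layout; the refang and suffix-match logic stays the same.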
## Mitigation Strategies
- **Prevention measures:** Avoid clicking on "System Update" or "Account Verification" links found within social media advertisements.
- **Hardening recommendations:**
  - Disable "Install from Unknown Sources" on Android devices.
  - Regularly audit apps with **Accessibility Services** permissions.
  - Implement Mobile Threat Defense (MTD) solutions to detect anomalous app behavior.
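The behavioral-detection item under Detection Methods and the "audit apps with Accessibility Services permissions" recommendation above both come down to the same check: which packages hold an enabled accessibility service, and where did they come from. The script below is an added example, not from the report; it parses text shaped like the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, but the values shown are constructed for the demo, and the allowlist and trusted-installer set are assumptions a defender would tailor to their own fleet.

```python
"""Audit enabled Android Accessibility Services against installer provenance.

Added example, not from the original report. Inputs mimic two adb outputs;
the sample values, allowlist and trusted installers are constructed/assumed.
"""

# Constructed sample of the 'enabled_accessibility_services' secure setting:
# a colon-separated list of "package/ServiceClass" entries.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.metasecurity/.UpdateService"
)

# Constructed sample of 'pm list packages -i' (package plus installing package;
# 'installer=null' is what a sideloaded APK reports).
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.metasecurity  installer=null
package:com.whatsapp  installer=com.android.vending
"""

# Assumed allowlist of packages whose accessibility use is expected on this fleet.
ALLOWLIST = {"com.google.android.marvin.talkback"}
# Assumed set of installers considered trustworthy (Play Store here).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(value):
    """Split 'pkg/Service:pkg2/Service2' into a list of (package, service) tuples."""
    services = []
    for entry in value.split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):
            svc = pkg + svc  # Android shorthand for a class inside the package
        services.append((pkg, svc))
    return services


def parse_installers(pm_output):
    """Map package -> installer from 'package:<pkg>  installer=<who>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers


def audit(enabled_value, pm_output, allowlist=ALLOWLIST, trusted=TRUSTED_INSTALLERS):
    """Return one finding per enabled accessibility service outside the allowlist.

    A service from a sideloaded package (installer not trusted) is rated high,
    which is the combination the report's behavioral indicator describes.
    """
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_enabled_services(enabled_value):
        if pkg in allowlist:
            continue
        installer = installers.get(pkg, "unknown")
        sideloaded = installer not in trusted
        findings.append({
            "package": pkg,
            "service": svc,
            "installer": installer,
            "severity": "high" if sideloaded else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit(ENABLED_SERVICES, PM_LIST):
        print(f"[{f['severity']}] {f['package']} ({f['service']}) installer={f['installer']}")
```

On a managed device the two constants would be replaced by the live `adb shell` outputs; keeping the allowlist explicit is what makes a newly enabled service from an unexpected package stand out instead of blending in with screen readers and other legitimate users of the API.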
## Related Tools/Techniques
- **SpyNote:** Similar Android RAT with high interaction capabilities.
- **Facestealer:** Malware specifically focused on compromising Facebook credentials.
- **Malvertising:** The core technique used for the initial delivery of the Mirax payload.